IT Security: the Least Understood Management Function in Government?

Security management could use improvement in appreciation, awareness and adoption.

Security breaches are in the news daily and aren't unique to the public sector. Information mismanagement, data loss and poor malware protection result in losses across virtually all business sectors and organizations - just check the latest headlines. What makes government unique is its continuous, almost incomprehensible struggle for more money to spend on additional security, while highly visible breaches continue to plague victimized agencies - exposing their mission-critical operations and information to malicious hackers.

It's not that government is indifferent to the threat. Without question, security breaches remain a major public-sector concern. The problem is that despite the fear factor, IT security remains one of the least understood management functions within government organizations. This lack of understanding is directly responsible for security initiatives not receiving proper attention during the budget process.

To have a seat at the table during budget negotiations, CIOs must improve in three security management areas. The "Three A's of Change" are: appreciation, awareness and adoption.

Appreciation

According to the 2008 Verizon Business Data Breach Investigations Report, nearly 87 percent of all security breaches - estimated to each cost an average of $4.8 million - could've been prevented with basic security controls. The report is easy to appreciate: Proper security precautions prevent data breaches. Yet, the message still fails to resonate with many public-sector leaders. Why?

Executives are hesitant. Over the years, cyber-security has received a bad rap. Much like the Y2K frenzy, today's media coverage of data breaches, malware threats and international cyber-espionage is found everywhere. With skepticism building since Y2K, many public-sector executives see cyber-security stories as hype that exaggerates the problem's scope and seriousness. Many skeptics also believe the industry falsely portrays the state of cyber-security to increase product sales.

The truth is, cyber-security isn't Y2K fear mongering.

Cyber-attacks are real threats that can have a devastating impact on public-networked infrastructure if not taken seriously. According to the United States Computer Emergency Readiness Team, the total number of reported government cyber-security incidents increased to 37,213 from 23,632 between the '06 and '07 government fiscal years, and federal incidents grew to 12,986 from 5,143 during the same span. If each of these security incidents resulted in $1 million of collateral damage (well below the Verizon investigation's average cost of recovery), consider the impact data breaches already have on public systems.

Calculating the Cost

A major obstacle for business executives to fully appreciate security's value is quantifying the real cost of a security breach. In terms of return, government's technology priorities are aligned to reduce excess spending or improve mission-critical services. While it can be argued that security is always mission critical, the tangible benefits of proactive security are evasive and difficult to quantify. Security can't be calculated in a simple return-on-investment computation. The only true way to assess return on security is by comparing the cost of implementing security versus the cost of a security breach. The downfall of this approach, of course, is that the most accurate assessment will come from quantifying a previous security breach within an organization, in which case it's already a step too late.

To begin accurately quantifying security's value, the cost of all compromised information must be considered and recovery steps needed to respond to a data breach. When compiled, these individual recovery costs add up quickly.

For example, the hard cost of a lost Social Security number might include:

monetary loss suffered by the compromised individuals;

business costs of notifying those affected;

services offered to those affected (e.g., credit monitoring); and

organizational budget cuts resulting from the data breach.

Last year, The U.S. Department of Agriculture realized the financial burden of a data breach when more than 63,00 citizens' personal information was compromised. A loan recipient found her Social Security and tax identification numbers intertwined with other data on an online government database, sparking a chain of action that would cost the agency millions of dollars. While the data was removed immediately and a public statement issued, the agency had to notify all 63,000 citizens and provide free credit monitoring services for those with potentially compromised personal information. The credit monitoring alone cost $4 million.

Outside the federal government, almost every state has enacted data notification laws that require state government to contact all citizens affected by a security breach. Therefore, money will be spent on security activities, but the only question is whether it will be proactive (i.e., prevent data breaches) or reactive (i.e., notify citizens of a data breach). The latter could force the public sector to bear the cost of notification and additional services for those exposed to unnecessary identity threats.

When assessing a security breach, these are the most straightforward elements to quantify because they can be reduced to a set dollar amount. However, the hard costs are only the beginning. The more difficult process of determining security's return on investment involves calculating loss at the qualitative level. When constituents' information is compromised, how do you measure the loss of trust? If people lose faith in your ability to protect private information, what will happen to existing e-government initiatives? What new - and costly - programs will need to be put into place? These questions should be addressed when determining security's value.

An IT Management Obstacle

It's not just executive management that fails to appreciate the critical need for improved security. This challenge also exists within IT management, network operations and application development units. The management teams operating below the CIOs and other executive management often view security as an obstacle working against their two chief priorities: performance and cost of goods, as security cuts into the operational dollars allocated for sustaining services.

Why is security an obstacle? For one reason, security is a huge management investment, which adds to an already-long checklist of IT administrative duties. Managing secure network configurations, rolling out software patches, changing passwords, auditing for security compliance and other day-to-day security tasks can strain limited administrative resources.

The management focus on network performance and availability has bred an IT culture that views security as a second-class network requirement rather than a core pillar. This afterthought mentality is directly responsible for the serious lack of security advocacy within most government organizations. Many people who work with the technology every day believe it's a burden instead of an enabler. As a result, there's little pressure from IT management to budget more resources for improved protection. IT managers are already fighting to maintain their budgets, and in this fiscally competitive environment, security usually takes the back seat - despite the expectation for improved service as demand grows.

This view of security can no longer exist if we are to move toward a stronger security posture for public-sector organizations. Business executives must understand that proper protection of citizens' information is a requirement and not a luxury in today's cyber-centric world. With proper protection in place, they can actually reduce the time invested in security management. There are many enterprise security solutions available that automate processes and synchronize security risk management to continuously assess and regulate daily network activity. Security management doesn't have to be a manual- and labor-intensive process.

Proper attention can prevent a large portion of security breaches, which not only prevents damaging citizens' trust in government, but also removes added pressure to IT management operations. Adopting a proactive security stance can avoid a costly, time-intensive cleanup that would take management away from everyday responsibilities for days or potentially weeks. Ultimately proper security can directly benefit IT managers and allow them to focus on the real challenge of making government more accessible.

Awareness

A lack of security appreciation contributes directly to poor security awareness, most notably at the personnel level. This is one of the leading contributors to the human-error factor associated with most security breaches. Security needs to be everyone's business. As government employees, we are directly responsible for protecting citizen information and measures must be taken to increase awareness in the everyday IT environment. The critical step to changing user behavior is to build a secure-minded culture from the ground up. To create this culture, all employees should be educated and tested on security threats and how their day-to-day computer use can affect their organization's security posture.

Much like developing a work-safety program, education needs to be incorporated from the beginning; it's imperative that IT security training is required for new employees. Whether employees are transitioning from the private to public sector, or within the public sector, all agencies work with different levels of critical data, and it's important for employees to know how to uphold their organization's unique information security requirements. The implementation of basic acceptable use policies is a good start. For example, employees should be familiar with what information can be sent, printed and taken off the premises. Often data loss is unintentional, but it begins with inadequate understanding of appropriate organizational use policies.

Adoption

Proper education on best practices for technology adoption is another missing piece for agencies when implementing security measures to their maximum potential. Security solutions are often chosen with limited understanding of how and at what scale they should be deployed, so the solution may not adequately protect the various reservoirs of an agency's critical data. A good example is encryption. In response to growing government data losses, many agencies are turning to encryption technology. However, once procured, there's a great deal of confusion about deploying the technology.

Questions about encryption include:

What should be encrypted?

What encryption levels are needed for what types of information?

Where should it be deployed to immediately raise overall information protection?

Another security management problem that agencies face is the limited reach of compliance mandates required by the federal Office of Management and Budget. Security mandates, such as the Federal Information Security Management Act (FISMA), are developed for broad security adoption and aren't agency specific. Many government agencies trust that the requirements will be enough to protect their critical information, never stopping to think about whether these mandates adequately address security for their unique mission. Pursuing the bare minimum is the unfortunate state of our current security culture, and it's dangerously shortsighted in terms of protection. More often than not, if the security pursuit ends with a limited set of requirements, the appropriate security levels won't be in place, thereby striking a poor balance between information protected and actual security needed.

Another disputed issue concerning mandates like FISMA is their failure to raise the public-sector culture needed to create actual change in our national cyber-preparedness strategy. Because security reporting is often approached as a seasonal routine, agencies aren't thinking "security" outside of the reporting deadline. If anything, this approach is counterproductive to instilling a governmentwide view that protection is a day-to-day responsibility.

Although government security has come a long way over the past 10 years, there's still much ground to cover. Changing the way we think about security is still a major milestone we have yet to reach. Until we pass this threshold, there will be recurrent problems with information mismanagement and an ongoing struggle to properly fund security initiatives. A shift in security appreciation, awareness and adoption is needed if we are to keep pace with the growing cyber-threats targeting public infrastructure and ultimately, U.S. citizens. Data breaches cannot be an occupational hazard. If we fail to protect our constituents, there will be much more than data at risk.